Google
 
   
Login
Username:

Password:


Lost Password?

Register now!
Search

Advanced Search
Main Menu
top books
Polls
What do you think about php-deluxe.net?
Excellent!
Cool
Hmm..not bad
What the hell is this?
encyclopedia
M0n0wall
Internet chess server
OpenFTS
Mary programming language
Bentley Systems
Gentoo/OpenBSD
Unix billennium
recommendation
compare webbrowser
Freenet DSL
Who's Online
6 user(s) are online (6 user(s) are browsing encyclopedia)

Members: 0
Guests: 6

more...
browser tip
Unix Befehle
manual of unix befehle
recommendation!
Sponsored
partner

SQL injection

SQL injection is a security vulnerability that occurs in the Database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

Assuming the following code is embedded in the application, and a parameter userName that contains the user s name is given, SQL injection is possible:

statement := SELECT * FROM users WHERE name = + userName + ;

If supplied with a ; DROP TABLE users; SELECT * FROM data WHERE name LIKE % as userName , the following SQL statement would be generated:

SELECT * FROM users WHERE name = a ; DROP TABLE users; SELECT * FROM data WHERE name LIKE % ;

The database would execute the statement in order, selecting data, dropping (deleting) the users table and selecting data that maybe was not meant to be displayed to web users. In essence, any data in the database available to the user connecting to the database could be read and/or modified.

= Examples =

SQL injection is easy to work around with in most programming languages that target web applications or offer functionality. In Perl DBI, the DBI::quote method escapes special characters (assuming the variable $sql holds a reference to a DBI object):

$query = $sql->prepare ( select * from users where name = . $sql->quote($user_name) );

Or one may use the placeholder feature (with automatic quoting) as follows:

$query = $sql->prepare( select * from users where name = ); $query->execute($user_name);

In PHP, there are different built-in functions to use for different DBMSes. For MySQL, the equivalent is the built-in function mysql_real_escape_string:

$query_result = mysql_query ( select * from users where name = . mysql_real_escape_string($user_name) . );

In the Java_programming_language programming language, the equivalent is the PreparedStatement class.

Instead of

Connection con = (acquire Connection) Statement stmt = con.createStatement(); ResultSet rset = stmt.executeQuery( SELECT * FROM users WHERE name = + userName + ; );

use the following

Connection con = (acquire Connection) PreparedStatement pstmt = con.prepareStatement( SELECT * FROM users WHERE name = ); pstmt.setString(1, userName); ResultSet rset = pstmt.executeQuery();

In the Microsoft_.NET (or Mono_development_platform) programming language CSharp , the equivalent are the ADO.NET SqlCommand (for Microsoft SQL Server) or OracleCommand (for Oracle s database server) objects. The example below shows how to prevent injection attacks using the SqlCommand object. The code for other ADO.NET providers is very similar, but may vary slightly depending on the specific implementation by that provider vendor.

Instead of

using( SqlConnection con = (acquire connection) ) { con.Open(); using( SqlCommand cmd = new SqlCommand( SELECT * FROM users WHERE name = + userName + , con) ) { using( SqlDataReader rdr = cmd.ExecuteReader() ){ ... } } }

use the following

using( SqlConnection con = (acquire connection) ) { con.Open(); using( SqlCommand cmd = new SqlCommand( SELECT * FROM users WHERE name = @userName , con) ) { cmd.Parameters.Add( @userName , userName); using( SqlDataReader rdr = cmd.ExecuteReader() ){ ... } } }

= See also =

*Code injection

= External links =

*[http://www.derkeiler.com/Mailing-Lists/securityfocus/secprog/2001-07/0001.html Abusing Poor Programming Techniques in Webserver Scripts via SQL Injection] *[http://www.nextgenss.com/papers/advanced_sql_injection.pdf Advanced SQL Injection Attacks] *[http://imperva.com/application_defense_center/glossary/sql_injection.html What is SQL injection] *[http://spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf Web Applications and SQL Injection] *[http://www.linuxsecurity.com/docs/Hack-FAQ/computers/sql-injection-attack.shtml What is an SQL Injection Attack / Vulnerability] *Article [http://governmentsecurity.org/articles/SQLInjectionModesofAttackDefenceandWhyItMatters.php SQL Injection: Modes of Attack, Defence, and Why It Matters] by Stuart McDonald *Article [http://informit.com/articles/article.aspp=30124&seqNum=3 SQL Server Attacks: Hacking, Cracking, and Protection Techniques] by Seth Fogie and Cyrus Peikari *Article [http://securityfocus.com/infocus/1644 SQL Injection and Oracle, Part One] by Pete Finnigan *Article [http://www.sitepoint.com/article/sql-injection-attacks-safe SQL Injection Attacks - Are You Safe] by Mitchell Harper *Article [http://winnetmag.com/Article/ArticleID/42216/42216.html Protecting Against SQL Injection] by Umachandar Jayachandran *Article [http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/ Stop SQL Injection Attacks Before They Stop You] by Paul Litwin
  • [http://msdn.microsoft.com/library/default.aspurl=/library/en-us/dnsqlmag04/html/InjectionProtection.asp Injection Protection]
  • [http://governmentsecurity.org/articles/SQLinjectionBasicTutorial.php SQL injection Basic Tutorial]
  • [http://citeseer.ist.psu.edu/641328.html SQLrand: Preventing SQL Injection Attacks] by Stephen W. Boyd and Angelos D. Keromytis
  • [http://www.cgisecurity.com/questions/sql.shtml What is SQL Injection] By CGISecurity.com]]
  • [http://www.cgisecurity.com/questions/blindsql.shtml What is Blind SQL Injection] By CGISecurity.com]]
  • [http://www.acunetix.com/wvs/ Scan for SQL injection vulnerabilities] By acunetix.com]]
    		•